Re: [NSE Script] MySQL Server Information

[jah <jah () zadkiel plus com>]

On 19/12/2007 01:53, Rob Nicholls wrote:
> I can definitely see the benefit of Chris' suggestion and Thomas' improved
> script for checking a handful of passwords for default accounts (a lot
> easier than firing up another program just to check that "sa" isn't set to
> "password" or left blank), and it might be worth checking default usernames
> and passwords on other well known services too (Scott:Tiger, cisco:cisco,
> admin:password etc.); I think Chris' original comment about checking for
> weak passwords threw me as it wasn't clear at the time just how limited the
> check for weak passwords would be.
>   
> I'd probably like an additional option of being able to specify two files, one
> for usernames (that I can type up, or perhaps dump out of getacct.exe or
> enum.exe) and one to point at whatever huge dictionary file I've got to
> hand, rather than a single file full of pairs. I can't see my dictionary
> files changing that often, but I can see the list of users changing a lot 
Rob!  You raise questions (not reproduced here) that will take some 
serious pondering and should indeed be pondered and discussed....
I think you agree that having the ability to check for some default and 
and a selection of weak passwords against a MySQL service is a good 
thing and that there should be safeguards against doing stuff the user 
doesn't necessarily want to do.
It sounds to me like we're kind of steering away from coding this 
functionality in a script, but to provide it (in the future) as a 
library to avoid redundancy of code right across the board and allow 
it's use for any service.  If that's possible, I reckon it's a winner of 
an idea.

Going for a ponder.

jah

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org